Outsourcing IT and Business Processes: A Supervisory Primer
Banking organizations' use of third-party service providers is not new. However, recent trends—such as an increase in the scope of IT outsourcing arrangements, the growth of business process outsourcing and the rise in cross-border arrangements—have generated increased focus on outsourcing.
This primer aims to bring together and summarize existing supervisory and recent industry publications related to outsourcing. It is organized as follows:
Summary: This new Booklet supplements the November 2000 issuance, "Risk Management of Outsourced Technology Services," and is one of a series of 12 IT Handbook Booklets that are being issued as revisions to the 1996 Information Systems Handbook. It discusses how institutions should manage outsourced information technology relationships, from an initial risk assessment through ongoing monitoring. It also includes discussions on special topics, such as business continuity, information security, multiple service provider relationships and outsourcing to foreign service providers. FFIEC Handbooks can be viewed or downloaded from: FFIEC IT Handbook InfoBase
FFIEC announced via Federal Reserve Supervisory Letter SR 00-17
Summary: The guidance outlines the processes banks should use to manage the risks associated with outsourcing technology services and discusses four key elements of such processes—risk assessment, selection of service providers, contract reviews and monitoring the service provider relationship. This guidance contains many of the same sound practices and recommendations set forth in SR Letter 00-04, "Outsourcing of Information and Transaction Processing," which was issued by the Federal Reserve on February 29, 2000.
Summary: This SR letter reiterates and clarifies the Federal Reserve's expectations regarding the management of outsourced information and transaction processing activities by banking organizations, either to affiliated institutions or third-party service providers. Operations addressed under this supervisory letter include the origination, processing, and settlement of payments and financial transactions, information processing related to customer account creation and maintenance, as well as other information and transaction processing activities that support critical banking functions, such as lending, deposit-taking, fiduciary, or trading activities. The scope of SR 00-04 is broader than that of SR 00-17. For example, it contains a section, "International Considerations," that discusses, among other topics, supervisory access to information regarding the outsourced activity ("...the Federal Reserve expects that these arrangements will be established in a manner that does not diminish the ability of U.S. supervisors to review effectively the domestic or foreign operations of U.S. banking organizations and the U.S. operations of foreign banking organizations").
Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their outsourcing relationships with foreign-based third-party service providers. It also addresses the need for a national bank to establish relationships with foreign-based third-party service providers in a way that does not diminish the ability of the OCC to access, in a timely manner, data or information needed to effectively supervise the bank’s operations.
Summary: This bulletin provides guidance to national banks on managing the risks that may arise from their business relationships with third parties. It supplements, but does not replace, previous guidance on third-party risk. The principles presented are largely derived and adapted from supervisory principles that the OCC or the federal banking agencies have already issued. A bank’s use of third parties to achieve its strategic goals does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Many third-party relationships should be subject to the same risk management, security, privacy, and other consumer protection policies that would be expected if a national bank were conducting the activities directly.
Summary: This document provides guidance on third party arrangements, whether they occur between affiliated or unaffiliated entities. The bulletin informs institutions that the OTS expects directors and management to effectively manage risks that arise from all types of third party arrangements. It also notifies thrifts that OTS examiners will review internal controls and management of third party arrangements during the course of regularly recurring safety and soundness examinations, and will request appropriate corrective action, when needed, to ensure that the arrangements satisfy safety and soundness standards.
Summary: This document is intended to serve as a resource for banks in addressing specific challenges relating to selecting an information technology service provider. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.
Summary: This document is intended to serve as a resource for banks in addressing specific challenges relating to managing multiple information technology outsourcing arrangements. The content was prepared not as examination procedures or official guidance but as an informational tool for community bankers.
Summary: As community banks outsource more of their mission critical applications, properly managing the relationships between financial institutions and technology service providers becomes increasingly important. This brochure discusses the Service Level Agreement (SLA) as an effective tool for managing the risks associated with technology outsourcing and describes practices for measuring and monitoring service providers’ performance.
Summary: This paper reviews outsourcing, or the use of third-party service providers, as a business strategy that is being considered more frequently by financial institutions as they respond to an increasingly competitive marketplace, and summarizes industry practices to manage and mitigate the applicable risks. This paper laid the groundwork for subsequent supervisory guidance issued by the Federal Reserve and other banking agencies.
Summary: The purpose of this paper is to identify banks' risk management roles and responsibilities with respect to cross-border E-Banking. Additionally, the paper focuses on the need for effective home country supervision of cross border activities as well as continued international cooperation between banking supervisors regarding such activities.
Summary: This 124-page paper provides a comprehensive "Framework" for developing and managing outsourced relationships. It consists of 9 sections that address topics such as the business decision to outsource IT services (Section 2), due diligence considerations (Section 4), contractual, service level and insurance considerations (Section 5) and considerations for cross-border outsourcing (Section 9). Its 7 appendices include a mapping of the BITS Framework to Federal banking agency guidelines (Appendix 2) and a Disaster Recovery/Business Continuity Matrix (Appendix 5).
Summary: The document notes that many service providers supply receiver companies with security assessments or audit reports to help the receiver company understand the appropriateness of the service provider's controls. However, receiver companies often perform their own due diligence and review processes to fill gaps in their assessment requirements, and service providers often receive additional, and sometimes inconsistent, demands for information about their operations from multiple receiver companies. The purpose of this matrix is to provide financial institutions, service providers, and audit and assessment organizations with a comprehensive set of expectations to reduce risk, facilitate compliance with regulatory requirements and eliminate gaps in the audit or assessment process.
1 The Federal Financial Institutions Examination Council, or FFIEC, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.
2 BITS is a consortium that shares membership with the Financial Services Roundtable, which represents the interests of large integrated financial services companies operating in the U.S. Its membership, which is limited to approximately 100 firms, consists of representatives from the bank-based, insurance, securities and diversified industry sectors.